Unpatched WordPress Plugin Code-Injection Bug Afflicts 50K Sites


A CSRF-to-stored-XSS security bug plagues 50,000 Contact Form 7 Style users.

A security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, could allow malicious JavaScript to be injected into a victim website.

The latest WordPress plugin security vulnerability is a cross-site request forgery (CSRF) to stored cross-site scripting (XSS) problem in Contact Form 7 Style, which is an add-on to the well-known Contact Form 7 umbrella plugin. It ranks 8.8 out of 10 on the CVSS vulnerability-severity scale (CVE is pending).

CSRF allows an attacker to induce a victim user to perform actions that they do not intend to perform, because the victim's browser attaches the site's session cookies to a request the attacker crafted. XSS allows an attacker to execute arbitrary JavaScript within the browser of a victim user. This bug chains the two techniques: a forged request plants the script, and the stored script then runs for visitors.

Researchers at Wordfence said that there’s no patch yet available, and that versions 3.1.9 and below are affected. WordPress removed the plugin from the WordPress plugin repository on Feb. 1.

Vulnerable Contact Form 7 Style

Contact Form 7 is used to create, as its name suggests, contact forms for websites. The vulnerable Contact Form 7 Style is an add-on that adds additional bells and whistles to forms made with Contact Form 7.

It does this by allowing users to customize a site’s Cascading Style Sheets (CSS) code, which dictates the appearance of WordPress-based websites. This custom-CSS setting is where the vulnerability lies, according to Wordfence researchers.

“Due to the lack of sanitization and lack of nonce protection on this feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin,” they explained in a posting this week, adding that further details are being withheld to give site owners an opportunity to deal with the issue. “If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.”

“Since the number of installed instances of the plugin is so high, and given the number of websites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to give users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation,” Wordfence added.
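Wordfence has not published the plugin's code, so the following is an added illustration of the generic WordPress pattern its description points at, not Contact Form 7 Style's actual source: a settings handler that saves a custom-CSS option with no nonce check and no sanitization, beside a hardened version that applies a capability check, a nonce check, tag stripping, and a safer output path. The hook name (admin_post_cf7style_save_css), option name (cf7style_custom_css), form field (custom_css) and nonce action are hypothetical; the assumption that the stored CSS is echoed into a <style> element, which is what lets a value like `</style><script>…</script>` become stored XSS, is also mine, since the article does not show the plugin's output code.

```php
<?php
// Added illustration, not code from Contact Form 7 Style. The hook, option
// and field names below are hypothetical.

// VULNERABLE PATTERN. Any page the logged-in admin visits can auto-submit a
// form to this handler (CSRF): nothing ties the request to a nonce issued in
// the admin's own session, and nothing strips markup from the "CSS".
function vuln_save_css() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    // No nonce verification, no sanitization.
    update_option( 'cf7style_custom_css', wp_unslash( $_POST['custom_css'] ) );
    wp_safe_redirect( admin_url( 'admin.php?page=cf7style' ) );
    exit;
}

// Assumed output path: the stored value is echoed raw into a <style> block,
// so a stored value of  </style><script>/* attacker JS */</script>  runs for
// every visitor (stored XSS).
function vuln_print_css() {
    echo '<style>' . get_option( 'cf7style_custom_css', '' ) . '</style>';
}

// HARDENED PATTERN.
function safe_save_css() {
    // 1. Capability check: only administrators may change site-wide CSS.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: the request must carry a token that WordPress generated
    //    for this action in the admin's own session. A cross-site form cannot
    //    read that token, so a forged request dies here.
    check_admin_referer( 'cf7style_save_css', 'cf7style_nonce' );

    // 3. Sanitization: CSS never legitimately needs HTML tags. Strip them, then
    //    refuse anything that still contains '<', so no stored value can close
    //    a <style> element or open a <script> element.
    $css = wp_strip_all_tags( wp_unslash( $_POST['custom_css'] ?? '' ) );
    if ( false !== strpos( $css, '<' ) ) {
        wp_die( 'Invalid CSS', '', array( 'response' => 400 ) );
    }
    update_option( 'cf7style_custom_css', $css );
    wp_safe_redirect( admin_url( 'admin.php?page=cf7style' ) );
    exit;
}

// 4. Output: hand the CSS to WordPress's inline-style mechanism instead of
//    echoing raw HTML, and keep the '<' ban as a last line of defence in case
//    the option was written by some other path.
function safe_print_css() {
    $css = get_option( 'cf7style_custom_css', '' );
    if ( '' !== $css && false === strpos( $css, '<' ) ) {
        wp_register_style( 'cf7style-custom', false );
        wp_enqueue_style( 'cf7style-custom' );
        wp_add_inline_style( 'cf7style-custom', $css );
    }
}

/* The settings form must emit the nonce that the handler verifies:

   <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
     <input type="hidden" name="action" value="cf7style_save_css">
     <?php wp_nonce_field( 'cf7style_save_css', 'cf7style_nonce' ); ?>
     <textarea name="custom_css"><?php echo esc_textarea( get_option( 'cf7style_custom_css', '' ) ); ?></textarea>
   </form>
*/
add_action( 'admin_post_cf7style_save_css', 'safe_save_css' );
add_action( 'wp_enqueue_scripts', 'safe_print_css' );
```

The two defences are independent and both matter: the nonce alone stops the forged request from a third-party page but would still let a compromised or careless administrator store script; the tag stripping alone removes the script but would still let any page the admin visits rewrite the site's stylesheet. Rejecting any remaining '<' is deliberately strict (it also blocks the rare '<' inside a CSS string), which is the trade-off a site-wide, unauthenticated-visitor-facing setting warrants.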

To exploit the flaw, attackers would need to convince a logged-in administrator to click on a malicious link, which can be done via any of the common social-engineering approaches (e.g., through a fraudulent email or instant message).

Wordfence notified the plugin’s developer about the bug in early December; after receiving no response, the researchers escalated the issue to the WordPress Plugins team in early January. The WordPress Plugins team also contacted the developer and received no response, resulting in this week’s disclosure.

How to Protect Against Malicious JavaScript Injection

Because, like all CSRF vulnerabilities, the bug can only be exploited if an administrator performs an action while authenticated to the vulnerable WordPress site (the forged request only works because the browser sends the admin's session cookies with it), admins should be wary of clicking on any links.

“If you feel you must click a link, we recommend using incognito windows when you are unsure about a link or attachment,” according to Wordfence. “This precaution can protect your site from being successfully exploited by this vulnerability along with all other CSRF vulnerabilities.”

In this case, users should also deactivate and remove the Contact Form 7 Style plugin and find a replacement, researchers added, since no patch appears to be forthcoming.

